The openvpn manpage says, under auth-user-pass-verify about "via-env":

"Be aware that this method is insecure on some platforms which make the environment of a process publicly visible to other unprivileged processes."

Fucking... WHICH PLATFORMS. I can find no additional information about this. Pls T_T